Fun all year round until your Twitter account gets compromised
The popular "Round Year Fun" Twitter apps ("My Twitter Family", "My Twitter Crush", etc) are actually malware that will force you to follow the customers of a shady follower sales site
If you’ve been on Twitter for any length of time, you’ve probably encountered tweets from Round Year Fun: a set of “Twitter games” such as “My Twitter Family”, “My Twitter Interaction Group”, “My Twitter Crush”, “My Twitter Worth”, and “How and When Will You Die?”. Most of these basically just generate whimsical graphics showing accounts that you frequently interact with and post them to your Twitter account. It’s all just a bit of harmless fun and games, right?
The Round Year Fun apps request an impressive list of permissions which, if granted, let them do basically anything with your Twitter account. This is partly an artifact of how Twitter app permissions work: an app cannot request permission to post a tweet without also requesting basically everything else on that list. Round Year Fun, however, abuses the granted permissions by automatically following various accounts without disclosing that it does so, and then muting them so that the account's legitimate owner doesn't notice the unwanted follows. As we'll see shortly, the accounts that Round Year Fun surreptitiously follows are the customers of a shady follower sales site, and if you use the Round Year Fun apps, your account becomes part of the site's inventory.
Every tweet posted to Twitter is tagged with the client app used to tweet it ("Twitter Web App", "Twitter for iPhone", "Twitter for Android", etc), and the tweets posted by Round Year Fun are no exception. In a possible attempt to make it harder for Twitter to eliminate it completely, Round Year Fun tweets via a variety of apps at any given time. These apps have names that consist of three words ("Place Any Here", "Your Around Fun", etc) followed by a random hexadecimal number. In the 7-day period from November 15th - 21st, 2022, Round Year Fun tweets were posted via at least 43 distinct apps.
Who’s getting involuntary followers from Round Year Fun, and how? Currently, the accounts with the largest number of Round Year Fun followers are pretty much all cryptocurrency/NFT-themed accounts. (This hasn’t always been the case; we’ll take a look a bit later on at some fake journalist accounts from 2021 with Round Year Fun followers.) Several of the accounts with recent Round Year Fun followers also have astroturfed followers from other sources.
With a bit of Internet detective work, we can figure out where the Round Year Fun followers are being sold.
In an interesting coincidence that isn’t a coincidence at all, Round Year Fun’s various domains (roundyearfun.org, funaroundy.click, etc) share an IP address with realactivefollowers.com, a website that claims to sell “Real Twitter Followers” for the not-so-low price of $299.99 for 10,000 followers. Other services offered include Twitter likes and, most interestingly, “Elevated Twitter Developer Accounts” — in other words, accounts that have been approved for access to the Elevated level of Twitter’s developer API, which offers higher rate limits than the basic level, as well as the ability to create a larger number of distinct apps and API keys (useful if you want to automate a lot of Twitter accounts).
At one point, realactivefollowers.com had a free trial option that made it easy to empirically confirm that the followers provided by the site are accounts that have used one or more of the Round Year Fun apps. Using the free trial option on test account @DrunkAlexJones resulted in @DrunkAlexJones quickly gaining a batch of ~50 new followers, most of whom had recent Round Year Fun tweets.
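The checks described above (spotting Round Year Fun-style client app names in the tweet "source" field, counting distinct apps, identifying which accounts have tweeted via them, and listing accounts you follow but have also muted) can be scripted. The following is an added example written for this page, not code from the original research or from Round Year Fun. It assumes the v1.1 API shape of the "source" field (an HTML anchor whose text is the app name), assumes from the examples in the text that Round Year Fun app names are three capitalized words followed by a hex suffix, and runs over constructed sample records rather than real accounts or tweets.

```python
import re
from collections import Counter

# Twitter's v1.1 API reports the client app in a tweet's "source" field as an
# HTML anchor, e.g. '<a href="..." rel="nofollow">Place Any Here 3f9a2c</a>'.
SOURCE_ANCHOR = re.compile(r"<a\b[^>]*>(?P<name>[^<]+)</a>")

# Assumed shape of a Round Year Fun app name, generalized from the examples in
# the text ("Place Any Here", "Your Around Fun" plus a hex number): three
# capitalized words followed by a hexadecimal suffix. This is a heuristic and
# should be confirmed by inspecting the app's link target or the tweet text.
RYF_APP_NAME = re.compile(r"^(?:[A-Z][a-z]+ ){3}[0-9a-fA-F]+$")


def app_name(source: str) -> str:
    """Extract the human-readable app name from a v1.1 'source' field."""
    m = SOURCE_ANCHOR.search(source)
    return (m.group("name") if m else source).strip()


def is_ryf_app(name: str) -> bool:
    """True if the app name matches the assumed Round Year Fun naming pattern."""
    return RYF_APP_NAME.match(name) is not None


def ryf_app_counts(tweets) -> Counter:
    """Map each Round Year Fun-style app name to the number of tweets sent via it.
    len() of the result is the number of distinct apps seen in the sample."""
    counts = Counter()
    for t in tweets:
        name = app_name(t["source"])
        if is_ryf_app(name):
            counts[name] += 1
    return counts


def accounts_using_ryf(tweets) -> list:
    """Screen names with at least one tweet posted via an RYF-style app.
    Protected accounts and accounts that deleted their RYF tweets will be missed."""
    return sorted({t["user"] for t in tweets if is_ryf_app(app_name(t["source"]))})


def followed_and_muted(following, muted) -> list:
    """Accounts you follow but have also muted: candidates for involuntary follows.
    This is a review list, not proof; people do legitimately mute accounts they follow."""
    return sorted(set(following) & set(muted))


# Constructed sample data (hypothetical screen names and app names, not real tweets).
SAMPLE_TWEETS = [
    {"user": "alice_example",
     "source": '<a href="https://example.invalid" rel="nofollow">Place Any Here 3f9a2c</a>'},
    {"user": "alice_example",
     "source": '<a href="http://twitter.com/download/iphone" rel="nofollow">Twitter for iPhone</a>'},
    {"user": "bob_example",
     "source": '<a href="https://example.invalid" rel="nofollow">Your Around Fun b7e1</a>'},
    {"user": "carol_example",
     "source": '<a href="https://example.invalid" rel="nofollow">Place Any Here 3f9a2c</a>'},
    {"user": "dave_example",
     "source": '<a href="https://mobile.twitter.com" rel="nofollow">Twitter Web App</a>'},
]
SAMPLE_FOLLOWING = ["crypto_promo_example", "bob_example", "newsdesk_example"]
SAMPLE_MUTED = ["crypto_promo_example", "spammy_example"]

if __name__ == "__main__":
    counts = ryf_app_counts(SAMPLE_TWEETS)
    print(f"{len(counts)} distinct RYF-style apps: {dict(counts)}")
    print("accounts with RYF tweets:", accounts_using_ryf(SAMPLE_TWEETS))
    print("followed and muted (review these):",
          followed_and_muted(SAMPLE_FOLLOWING, SAMPLE_MUTED))
```

To use this against a real follower list you would fetch each follower's recent tweets and feed them to ryf_app_counts / accounts_using_ryf, and fetch your own friends and mutes lists for followed_and_muted. The name-pattern match is a triage filter, not an attribution: a match should be confirmed by looking at the actual tweet (the whimsical graphic and the link to a Round Year Fun domain).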
A bit of digging on SEO forum Black Hat World reveals a user named silentwandererr that may be the brains behind realactivefollowers.com/Round Year Fun. Among other things, this user reveals that they have somehow obtained “an unlimited amount of Twitter API Keys”, some of which are presumably being sold on realactivefollowers.com (the “Elevated Twitter Developer Accounts”) while others are powering Round Year Fun’s armada of Twitter apps.
Archived copies of some of silentwandererr’s Black Hat World posts:
A variety of Twitter users from a variety of countries and walks of life have partaken of the services of realactivefollowers.com/Round Year Fun over the years. Two of the more interesting accounts with large numbers of Round Year Fun followers were a pair of alleged journalists that became active in mid-2021: "Jessica Claire" (@jessica05181), supposedly a reporter for The Guardian, and "Kris Harrison" (@kris_verma1984), supposedly affiliated with the Sydney Morning Herald. A pair of Google searches reveals no evidence that either of the alleged reporters has ever written for the news websites they claim to be employed by, however. (Both of these accounts were subsequently suspended by Twitter.)
Both of these two “journalist” accounts received at least five thousand hijacked followers from Round Year Fun. The real counts of Round Year Fun followers are likely substantially higher, as not all accounts that have used Round Year Fun in the past can be positively identified (for example, protected accounts or accounts that have deleted their Round Year Fun tweets).
Both of the two alleged “journalist” accounts have also been renamed at least once. @jessica05181 (“Jessica Claire”) was previously named @Adrian84474494 and @thrawedmclag at various points in time, and @kris_verma1984 (“Kris Harrison”) was previously named @addiaeeprint and went by “Maria Pia” rather than “Kris Harrison”.
Interestingly, both of these fake journalists tweeted political content (including very similarly-styled cartoons) supporting the Chinese government and attacking Chinese billionaire Guo Wengui and far-right US propagandist Steve Bannon. The “Kris Harrison” account also criticized both major US political parties and NATO. Neither of the fake journalist accounts at any point tweeted a link to any of their alleged “journalism”.
If you've used one or more of the Round Year Fun apps, you can revoke its access to your account and prevent it from taking further actions on your behalf. (Screenshots show the steps for revoking access using the Twitter website; the phone apps are similar.) Revoking access stops future actions but does not undo follows the app already created, so also review your following list for accounts you don't recognize, including ones the app muted.
The research into Round Year Fun/realactivefollowers.com in this article originally appeared in this pair of Twitter threads by @ZellaQuixote and myself: